rynop / dynamodb-local

A wrapper for AWS DynamoDB Local, intended for use in testcases
MIT License

Solve vulnerability alert for CVE-2024-28863 #53

Closed joshuanapoli closed 2 months ago

joshuanapoli commented 4 months ago

Upgrading tar solves the vulnerability alert for CVE-2024-28863 in projects that depend on dynamodb-local.

Bumps tar from 4.4.19 to 6.2.1.

jeffsays commented 4 months ago

bump @rynop

jeffsays commented 2 months ago

bump again @rynop

rynop commented 2 months ago

@jeffsays or @joshuanapoli can either confirm this upgrade does not regress anything? Unfortunately, my free time has gone to 0 so I can't afford to spend time here

WtfJoke commented 2 months ago

TLDR: We can go for the latest version 7.4.3 without any issues

@rynop I've upgraded tar to ^7.4.3 and had no issues with it in our project (if you want I can also open a PR for going straight to v7 instead of v6, so any new PR is less likely to be opened).

I did not notice any breaking changes in the API of tar (as it still works). The only breaking change on the library side is that you can not use it in Node 6 and 8 anymore (but I don't think anybody is on that version anymore):

Drop support for node 6 and 8

EDIT: Created PR https://github.com/rynop/dynamodb-local/pull/54 in case you want to go straight to tar v7 (there I've also included details how I tested)

rynop commented 2 months ago

Closing in favor of https://github.com/rynop/dynamodb-local/pull/54#pullrequestreview-2280979809